[Webkit-unassigned] [Bug 181934] New: WebKitGTK/JavaScriptCore segfault with CrashOnOverflow
bugzilla-daemon at webkit.org
Mon Jan 22 07:55:24 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=181934
Bug ID: 181934
Summary: WebKitGTK/JavaScriptCore segfault with CrashOnOverflow
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: sevendays37 at gmail.com
Crashes on the latest version of WebKitGTK/JavaScriptCore (on both debug and release builds).
Here is the input code.
function foo(v1, v2)
{
    // Throws a string built from the JSON serialization of both arguments.
    throw JSON.stringify(v1) + JSON.stringify(v2);
}

function func_0() {
    try {
        // Recurses before foo() is reached; the inner call's return value becomes v1.
        foo(func_0(func_0), 1);
    } catch (func_0) {
        // The catch parameter shadows the function name; whatever was thrown
        // is returned to the caller.
        return func_0;
    }
}

func_0();
It seems that this code causes an integer overflow at StringBuilderJSON.cpp:85:
85 maximumCapacityRequired += 2 + stringLength * 6;
(gdb) r
Starting program: /data/WebKit/WebKitBuild/Debug/bin/jsc test.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff0cef700 (LWP 15461)]
[New Thread 0x7fffaf6ff700 (LWP 15462)]
[New Thread 0x7fffaeefe700 (LWP 15463)]
[New Thread 0x7fffad9ff700 (LWP 15464)]
[New Thread 0x7fffad1fe700 (LWP 15465)]
[New Thread 0x7fffac9fd700 (LWP 15466)]
[New Thread 0x7fffa7fff700 (LWP 15467)]
[New Thread 0x7fffa77fe700 (LWP 15468)]
[New Thread 0x7fffa6ffd700 (LWP 15469)]
[New Thread 0x7fffa67fc700 (LWP 15470)]
1 0x7ffff6d6a123 WTFCrash
2 0x46764e WTF::CrashOnOverflow::hasOverflowed() const
3 0x467645 WTF::CrashOnOverflow::crash()
4 0x7ffff5f5ba90 JSC::CompleteSubspace* JSC::JSCell::subspaceFor<JSC::JSSet>(JSC::VM&)
5 0x7ffff6dc29fc
6 0x7ffff6dc250f
7 0x7ffff6dc21d5 WTF::StringBuilder::appendQuotedJSONString(WTF::String const&)
8 0x7ffff6a3e4b8 JSC::Stringifier::appendStringifiedValue(WTF::StringBuilder&, JSC::JSValue, JSC::Stringifier::Holder const&, JSC::PropertyNameForFunctionCall const&)
9 0x7ffff6a3ddf9 JSC::Stringifier::stringify(JSC::JSValue)
10 0x7ffff6a40c1e JSC::JSONProtoFuncStringify(JSC::ExecState*)
11 0x7fffb02ff178
Thread 1 "jsc" received signal SIGSEGV, Segmentation fault.
0x00007ffff6d6a128 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
272 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff6d6a128 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:272
#1 0x000000000046764e in WTF::CrashOnOverflow::crash () at ../../Source/WTF/wtf/CheckedArithmetic.h:85
#2 0x0000000000467645 in WTF::CrashOnOverflow::overflowed () at ../../Source/WTF/wtf/CheckedArithmetic.h:78
#3 0x00007ffff5f5ba90 in WTF::Checked<unsigned int, WTF::CrashOnOverflow>::Checked (this=0x7fffffc1e310)
at ../../Source/WTF/wtf/CheckedArithmetic.h:462
#4 0x00007ffff6dc29fc in WTF::operator*<unsigned int, int, WTF::CrashOnOverflow> (lhs=..., rhs=...)
at ../../Source/WTF/wtf/CheckedArithmetic.h:745
#5 0x00007ffff6dc250f in WTF::operator*<unsigned int, int, WTF::CrashOnOverflow> (lhs=..., rhs=6)
at ../../Source/WTF/wtf/CheckedArithmetic.h:761
#6 0x00007ffff6dc21d5 in WTF::StringBuilder::appendQuotedJSONString (this=0x7fffffc1e5b0, string=...)
at ../../Source/WTF/wtf/text/StringBuilderJSON.cpp:85
#7 0x00007ffff6a3e4b8 in JSC::Stringifier::appendStringifiedValue (this=0x7fffffc1e6c0, builder=..., value=...,
holder=..., propertyName=...) at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:360
#8 0x00007ffff6a3ddf9 in JSC::Stringifier::stringify (this=0x7fffffc1e6c0, value=...)
at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:275
#9 0x00007ffff6a40c1e in JSC::JSONProtoFuncStringify (exec=0x7fffffc1e9f0)
at ../../Source/JavaScriptCore/runtime/JSONObject.cpp:841
#10 0x00007fffb02ff178 in ?? ()
#11 0x00007fffffc1ea70 in ?? ()
#12 0x00007ffff67b5a47 in llint_entry () at ../../Source/JavaScriptCore/runtime/Butterfly.h:52
Backtrace stopped: frame did not save the PC
--
You are receiving this mail because:
You are the assignee for the bug.
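Added example, not code from the report or from WebKit: a C++ model of the checked arithmetic on StringBuilderJSON.cpp:85 (`maximumCapacityRequired += 2 + stringLength * 6`) and of how long the string thrown by foo() gets as the recursion in the test case unwinds. As the backtrace shows, WTF::Checked<unsigned, CrashOnOverflow> traps the 32-bit overflow in the multiplication and calls WTFCrash() before any buffer is sized, so the process aborts deliberately instead of continuing with an undersized capacity; the model below reports the overflow instead of crashing so the threshold can be inspected. It assumes that the `* 6` is the worst-case expansion of one character when quoting a JSON string (a control character becomes a six-character \u00XX escape), that each unwinding level feeds the previously thrown string back through JSON.stringify (my reading of the test case, not something the report states), and a constructed seed of a three-character string with no quotes or backslashes. The names kMaxExpansion, kOverflowLength, quotedJsonCapacity, ThrownString, nextLevel and levelsUntilOverflow are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Assumed worst-case expansion of one character when quoting a JSON string:
// a control character becomes a six-character \u00XX escape. This is the
// `* 6` on StringBuilderJSON.cpp:85 in the report.
constexpr uint32_t kMaxExpansion = 6;

// Smallest string length for which `stringLength * 6` no longer fits in the
// 32-bit unsigned wrapped by WTF::Checked<unsigned, CrashOnOverflow>.
constexpr uint32_t kOverflowLength =
    std::numeric_limits<uint32_t>::max() / kMaxExpansion + 1; // 715827883

// Same arithmetic as `maximumCapacityRequired += 2 + stringLength * 6`, but
// every step that would make CrashOnOverflow call WTFCrash() returns nullopt.
std::optional<uint32_t> quotedJsonCapacity(uint32_t current, uint32_t stringLength)
{
    const uint32_t kMax = std::numeric_limits<uint32_t>::max();
    if (stringLength > kMax / kMaxExpansion)
        return std::nullopt;                 // stringLength * 6 overflows (frames #4/#5 in the trace)
    const uint32_t escaped = stringLength * kMaxExpansion;
    if (escaped > kMax - 2)
        return std::nullopt;                 // 2 + escaped overflows
    const uint32_t needed = 2 + escaped;
    if (current > kMax - needed)
        return std::nullopt;                 // += overflows
    return current + needed;
}

// Assumed growth of the string thrown by foo() as the recursion unwinds:
// each level computes JSON.stringify(previousString) + JSON.stringify(1).
// Quoting adds the two outer quotes plus one backslash for every inner quote
// or backslash, and JSON.stringify(1) appends a single character.
struct ThrownString {
    uint64_t length;      // uint64_t so the model itself cannot overflow
    uint64_t quotes;
    uint64_t backslashes;
};

ThrownString nextLevel(const ThrownString& s)
{
    return {
        s.length + s.quotes + s.backslashes + 3, // escapes + 2 outer quotes + "1"
        s.quotes + 2,                            // the new outer quotes
        2 * s.backslashes + s.quotes,            // every inner quote/backslash gains a backslash
    };
}

// Number of unwinding levels before `stringLength * 6` overflows 32 bits.
int levelsUntilOverflow(ThrownString s)
{
    int levels = 0;
    while (s.length < kOverflowLength) {
        s = nextLevel(s);
        ++levels;
    }
    return levels;
}

int main()
{
    // Constructed seed: a short string with no quotes or backslashes.
    const ThrownString seed{3, 0, 0};
    std::printf("multiplication overflows at stringLength >= %u (reached after %d levels)\n",
                kOverflowLength, levelsUntilOverflow(seed));
    std::printf("capacity for length %u: %s\n", kOverflowLength - 1,
                quotedJsonCapacity(0, kOverflowLength - 1) ? "ok" : "overflow");
    std::printf("capacity for length %u: %s\n", kOverflowLength,
                quotedJsonCapacity(0, kOverflowLength) ? "ok" : "overflow");
    return 0;
}
```

Because the string roughly doubles per level, the threshold is reached within a few dozen unwinding steps, well inside the recursion depth the test case builds up before the stack overflows, which is consistent with the report's observation that the crash fires inside appendQuotedJSONString rather than on an out-of-memory path.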